Method and apparatus for secrets injection into containers for 5g network elements

ABSTRACT

A method and system for managing dynamic runtime information provision for a container implementing a Session Management Function (SMF) executed by an electronic device in a 3 rd  generation partnership project (3GPP) 5 th  Generation (5G) mobile network core. The method includes starting a container image load, the container image including at least a secret sub unit and an application sub unit, the application sub unit providing the SMF, determining an input source to provide a secret value for the container, the input source identified by information in the secret sub unit in the container image, and providing the secret value to a destination sub unit of the container.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation-in-part of U.S. application Ser. No.15/813,016, filed Nov. 14, 2017, which is hereby incorporated byreference.

TECHNICAL FIELD

Embodiments of the invention relate to the field of virtualization usingcontainers in a mobile network core; and more specifically, to a processfor container management where there is provisioning for secrets duringcontainer instantiation where the containers include network elements ofa mobile network core.

BACKGROUND

A platform is an operating environment that may execute on physicaland/or virtualized hosts. A physical host is a traditional computingsystem having physical hardware and an operating system. Virtual hostsare operating environments based on the virtualization of the physicalhardware. Virtualization in the area of computing systems is thecreation of a virtual (rather than physical) representation of someaspect of the computing system. Operating system level virtualization isan example of virtualization where a server is virtualized often toprovide more secure hosting environments in server farms, datacenters,cloud computing or similar distributed computing systems. Operatingsystem level virtualization can securely manage fixed physical computingsystem resources amongst a set of users. These users may be fromcompeting entities and thus need to have secured execution environmentsto prevent the other users from gaining access to our interfering withtheir programs.

A platform can be used to manage a set of separate operatingenvironments as containers, virtualization engines or similar instances.The platform manages the physical computing system resources amongst theset of operating environments. The management of resources can bereferred to as a virtualization system. The virtualization system maysupport a container management system, which is a type of virtualizationsystem that is lightweight (i.e., requires less computational andstorage overhead) in comparison to other types of virtualization. Thecontainer management system enables any number of containers or similarentities to execute over any number of physical or virtual hosts as partof the platform. These containers are generated from container images,which are a format for defining code that will execute in the container.

Applications running on the platform are executed within containers orsimilar entities managed by the platform. The containers are a mechanismwhere applications can be controlled to limit the amount of computingresources utilized by the application during execution. The containersare isolated and controlled lightweight processes running on anoperating system or hypervisor. The operating system may be implementedby a physical or virtual host. The containers and the applications theyrun do not have access to any information about other processes of thehost. A container is restricted to a limited set of resources includingprocessor(s), memory, fixed storage and similar resources. The containermay be allotted a fixed set of such resources when it is instantiated.

The use of containers provides advantages for running application. Thecontainers can share runtime code with their host operating system andother containers. This makes the containers lightweight (i.e., lowresource) and portable such that a large number of containers can runacross many hosts as a distributed system and the containers can bemoved between hosts for load balancing of the available resources acrossthe set of hosts. However, such distribution and movement of containersacross a set of hosts makes the monitoring of the condition and lifecycle of the containers more difficult.

The platforms manage and monitor the containers in this distributedenvironment, which may include thousands of containers running acrosshundreds of physical and/or virtual hosts. To monitor the status of thecontainers the platforms and in particular the container managementsystem of the platforms may use a centralized system where everythingabout the managed containers can be known. These systems load containerswhich are stored as images. The container images are composed of anumber of sub units sometimes referred to as layers or packages that maycontain executable code for operating systems, libraries, applicationprogramming interfaces (APIs), applications and similar aspects that areto form a container and that define its functionality.

SUMMARY

In one embodiment, a method and system for managing dynamic runtimeinformation provision for a container implementing a Session ManagementFunction (SMF) executed by an electronic device in a 3^(rd) generationpartnership project (3GPP) 5^(th) Generation (5G) mobile network core.The method includes starting a container image load, the container imageincluding at least a secret sub unit and an application sub unit, theapplication sub unit providing the SMF, determining an input source toprovide a secret value for the container, the input source identified byinformation in the secret sub unit in the container image, and providingthe secret value to a destination sub unit of the container.

In another embodiment, a method of managing dynamic runtime informationprovision for a container implementing an Access and Mobility ManagementFunction (AMF) executed by an electronic device in a 3GPP 5G mobilenetwork core. The method includes starting a container image load, thecontainer image including at least a secret sub unit and an applicationsub unit, the application sub unit providing the AMF, determining aninput source to provide a secret value for the container, the inputsource identified by information in the secret sub unit in the containerimage, and providing the secret value to a destination sub unit of thecontainer.

In another embodiment, an electronic device is in a 3GPP 5G mobilenetwork core, the electronic device configured to implement a containermanagement system, the container management system to support managingdynamic runtime information provision for a container implementing anSMF. The electronic device includes a non-transitory computer-readablemedium having stored therein a container manager, and a processorcoupled to the non-transitory computer-readable medium. The processorexecutes the container manager. The container manager starts a containerimage load, the container image including at least a secret sub unit andan application sub unit, the application sub unit providing the SMF,determines an input source to provide a secret value for the container,the input source identified by information in the secret sub unit in thecontainer image, and provides the secret value to a destination sub unitof the container.

In on embodiment, an electronic device in a 3GPP 5G mobile network core,the electronic device configured to implement a container managementsystem, the container management system to support managing dynamicruntime information provision for a container implementing an AMF. Theelectronic device includes a non-transitory computer-readable mediumhaving stored therein a container manager, and a processor coupled tothe non-transitory computer-readable medium. The processor executes thecontainer manager, the container manager starts a container image load,the container image including at least a secret sub unit and anapplication sub unit, the application sub unit providing the AMF,determines an input source to provide a secret value for the container,the input source identified by information in the secret sub unit in thecontainer image, and provides the secret value to a destination sub unitof the container.

BRIEF DESCRIPTION OF THE DRAWINGS

The invention may best be understood by referring to the followingdescription and accompanying drawings that are used to illustrateembodiments of the invention. In the drawings:

FIG. 1 is a diagram of one embodiment of a network of computing devicesfunctioning as platform including a set of server hosts to manage a setof containers.

FIG. 2 is a diagram of one embodiment of a container image beingprocessed to instantiate a container with a secrets sub unit.

FIG. 3 is a flowchart of one embodiment of a process for containerinstantiation that supports secrets injection.

FIG. 4 is a diagram of one example of a virtualized operatingenvironment for the embodiments.

FIG. 5 is a diagram of one example of a 3^(rd) generation partnershipproject (3GPP) 5^(th) generation (5G) mobile network.

FIG. 6 is a flowchart of one embodiment of a process for secretinjection for 5G functions.

FIG. 7A illustrates connectivity between network devices (NDs) within anexemplary network, as well as three exemplary implementations of theNDs, according to some embodiments of the invention.

FIG. 7B illustrates an exemplary way to implement a special-purposenetwork device according to some embodiments of the invention.

FIG. 7C illustrates various exemplary ways in which virtual networkelements (VNEs) may be coupled according to some embodiments of theinvention.

FIG. 7D illustrates a network with a single network element (NE) on eachof the NDs, and within this straight forward approach contrasts atraditional distributed approach (commonly used by traditional routers)with a centralized approach for maintaining reachability and forwardinginformation (also called network control), according to some embodimentsof the invention.

FIG. 7E illustrates the simple case of where each of the NDs implementsa single NE, but a centralized control plane has abstracted multiple ofthe NEs in different NDs into (to represent) a single NE in one of thevirtual network(s), according to some embodiments of the invention.

FIG. 7F illustrates a case where multiple VNEs are implemented ondifferent NDs and are coupled to each other, and where a centralizedcontrol plane has abstracted these multiple VNEs such that they appearas a single VNE within one of the virtual networks, according to someembodiments of the invention.

FIG. 8 illustrates a general purpose control plane device withcentralized control plane (CCP) software 850), according to someembodiments of the invention.

DETAILED DESCRIPTION

The following description describes methods and apparatus for managingthe provisioning of secrets to containers that are constructed based oncontainer images that include a secret sub unit where the secret subunit defines the parameters for determining the requisite secret valuesat runtime. The embodiments enable dynamic provisioning of secretswhereby the security of the secrets is better maintained and they can begenerated in a standardized manner at run time on a per instance basis.In particular the embodiments enable dynamic provisioning of secrets tonetwork elements from a 3^(rd) generation partnership project (3GPP)5^(th) generation (5G) mobile network core that are instantiated as subunits of the containers.

In the following description, numerous specific details such as logicimplementations, opcodes, means to specify operands, resourcepartitioning/sharing/duplication implementations, types andinterrelationships of system components, and logicpartitioning/integration choices are set forth in order to provide amore thorough understanding of the present invention. It will beappreciated, however, by one skilled in the art that the invention maybe practiced without such specific details. In other instances, controlstructures, gate level circuits and full software instruction sequenceshave not been shown in detail in order not to obscure the invention.Those of ordinary skill in the art, with the included descriptions, willbe able to implement appropriate functionality without undueexperimentation.

References in the specification to “one embodiment,” “an embodiment,”“an example embodiment,” etc., indicate that the embodiment describedmay include a particular feature, structure, or characteristic, butevery embodiment may not necessarily include the particular feature,structure, or characteristic. Moreover, such phrases are not necessarilyreferring to the same embodiment. Further, when a particular feature,structure, or characteristic is described in connection with anembodiment, it is submitted that it is within the knowledge of oneskilled in the art to affect such feature, structure, or characteristicin connection with other embodiments whether or not explicitlydescribed.

Bracketed text and blocks with dashed borders (e.g., large dashes, smalldashes, dot-dash, and dots) may be used herein to illustrate optionaloperations that add additional features to embodiments of the invention.However, such notation should not be taken to mean that these are theonly options or optional operations, and/or that blocks with solidborders are not optional in certain embodiments of the invention.

In the following description and claims, the terms “coupled” and“connected,” along with their derivatives, may be used. It should beunderstood that these terms are not intended as synonyms for each other.“Coupled” is used to indicate that two or more elements, which may ormay not be in direct physical or electrical contact with each other,co-operate or interact with each other. “Connected” is used to indicatethe establishment of communication between two or more elements that arecoupled with each other.

An electronic device stores and transmits (internally and/or with otherelectronic devices over a network) code (which is composed of softwareinstructions and which is sometimes referred to as computer program codeor a computer program) and/or data using machine-readable media (alsocalled computer-readable media), such as machine-readable storage media(e.g., magnetic disks, optical disks, solid state drives, read onlymemory (ROM), flash memory devices, phase change memory) andmachine-readable transmission media (also called a carrier) (e.g.,electrical, optical, radio, acoustical or other form of propagatedsignals—such as carrier waves, infrared signals). Thus, an electronicdevice (e.g., a computer) includes hardware and software, such as a setof one or more processors (e.g., wherein a processor is amicroprocessor, controller, microcontroller, central processing unit,digital signal processor, application specific integrated circuit, fieldprogrammable gate array, other electronic circuitry, a combination ofone or more of the preceding) coupled to one or more machine-readablestorage media to store code for execution on the set of processorsand/or to store data. For instance, an electronic device may includenon-volatile memory containing the code since the non-volatile memorycan persist code/data even when the electronic device is turned off(when power is removed), and while the electronic device is turned onthat part of the code that is to be executed by the processor(s) of thatelectronic device is typically copied from the slower non-volatilememory into volatile memory (e.g., dynamic random access memory (DRAM),static random access memory (SRAM)) of that electronic device.

Typical electronic devices also include a set or one or more physicalnetwork interface(s) (NI(s)) to establish network connections (totransmit and/or receive code and/or data using propagating signals) withother electronic devices. For example, the set of physical NIs (or theset of physical NI(s) in combination with the set of processorsexecuting code) may perform any formatting, coding, or translating toallow the electronic device to send and receive data whether over awired and/or a wireless connection. In some embodiments, a physical NImay comprise radio circuitry capable of receiving data from otherelectronic devices over a wireless connection and/or sending data out toother devices via a wireless connection. This radio circuitry mayinclude transmitter(s), receiver(s), and/or transceiver(s) suitable forradiofrequency communication. The radio circuitry may convert digitaldata into a radio signal having the appropriate parameters (e.g.,frequency, timing, channel, bandwidth, etc.). The radio signal may thenbe transmitted via antennas to the appropriate recipient(s). In someembodiments, the set of physical NI(s) may comprise network interfacecontroller(s) (NICs), also known as a network interface card, networkadapter, or local area network (LAN) adapter. The NIC(s) may facilitatein connecting the electronic device to other electronic devices allowingthem to communicate via wire through plugging in a cable to a physicalport connected to a NIC. One or more parts of an embodiment of theinvention may be implemented using different combinations of software,firmware, and/or hardware.

A network device (ND) is an electronic device that communicativelyinterconnects other electronic devices on the network (e.g., othernetwork devices, end-user devices). Some network devices are “multipleservices network devices” that provide support for multiple networkingfunctions (e.g., routing, bridging, switching, Layer 2 aggregation,session border control, Quality of Service, and/or subscribermanagement), and/or provide support for multiple application services(e.g., data, voice, and video).

Overview of Secret Injection

When running a platform that utilizes containers, some of thesecontainers will require ‘secrets’ that are determined at runtime. These‘secrets’ are data items such as cryptographic keys (e.g., privatekeys), passcodes or similar data that enables an instance of a containeror a component of an instance of a container (e.g., an application) tohave a unique secret that is distinct from other instances of the samecontainer image. For example, a web server to be executed in a containermay need a private key if it intends to serve transport layer security(TLS)-protected sessions. In other examples, an application running in acontainer that connects to a database might need a database password.

When the container image is being developed, the developer knows whatsecrets will be needed and how the container image will consume thesesecrets. For example, the developer will know that a private key isneeded for a web server and that it must appear within the container ina certain file. However, the actual secret value (e.g., a private keyvalue) for any given instance of the container image is not known untilruntime, and will usually be different for every instantiation.Furthermore, unlike configuration data, secrets are sensitive and mustbe protected from unauthorized access. Thus, such secrets cannot form apart of the container image itself both for the dynamic per instanceaspect and for the security of the information.

The existing processes for providing secrets to containers have variousproblems. These processes have security issues, complexity orinconvenience issues and a lack of standardization. The security issuesrequire very careful implementation to avoid exposing the secrets. Forexample, environment variables related to a container can beunintentionally exposed to other processes within the platform. Also,the container images may not be securely stored, may be commonlyavailable or publicly disseminated or similarly insecure. Thus, thecontainer images cannot protect these secrets and the instantiation ofcontainer images does not have safeguards at the container managementsystem to securely provide the secrets. The complexity and inconvenienceof current processes involves a lack of automation. The knowledge ofwhat secrets are needed, and how the container image expects thesesecrets to be provided at runtime is lost between development andoperation (runtime.) Therefore, it must be transmitted “out of band.”For example, this information must be communicated from developers tooperations personnel. This introduces opportunity for errors.

The lack of standardization arises from the development of containerimages being performed by independent developers. Since there aredifferent ways to inject secrets; different ways to present them; and nostandards, the runtime container management system must be unnecessarilycomplex to handle any of the myriad implementations that developers mayemploy. The container management system must allow for any secret to beinjected in any way to a container image to be instantiated. Operatorsmust have knowledge of the correct approach for each container image.The runtime container management system cannot help the operator orsimplify the process because it has no knowledge of the types of secretseach container image requires and the mechanism for their injection.

Container image files are composed of sub units that, when installedover each other, make up the runtime image of the container. In someembodiments, these sub units may be referred to as ‘layers’ (e.g., inthe Docker container management system) or as ‘packages’ in othercontainer management systems (e.g., the Apcera container managementsystem). The embodiments define a special ‘secrets’ type of sub unit.These secrets sub units do not contain actual secret values. Rather, thesecrets sub unit contain metadata about the secret values required atruntime for the associated container and how the secret values must bepresented to container or a designated sub unit of the container.

At runtime (i.e., at the time that a container image is instantiated asa container by the container management system), rather than simplyloading or layering the secrets sub unit into the container (as is donewith other types of sub units), the container management system willobtain the actual secret values required by the container and arrangethem in the container as directed by the metadata of the secrets subunit. That arrangement might use any possible way to communicateinformation to the container or container sub unit.

The embodiments support each of the possible mechanisms for secretinjection and provide an automated and standardized mechanism for theirprovision to the container image or container sub unit that requires thesecret values. The secret sub unit can identify a place the secretvalues can be placed in the file system (e.g., on disk or in memory), inenvironment variables, as command parameters to the container image, oreven specify a connection to a running container image using some formof inter-process communication (IPC) or protocol. Secret values can beextracted at runtime from some secret store (e.g., a file or databaseaccessible to the container management system). The secret values can beentered by a user (e.g., by an operator) at the prompting of thecontainer management system based on the defined metadata of the secretsub unit. The secret values can be generated dynamically (for example, acertificate generated or issued.) The secret metadata can enable theruntime container management system to intelligently manage and presentthe secrets to the operator.

The presence of the secrets sub unit metadata also enables fine-grainedpolicy controls for further security on the secret values. For example,the secrets sub unit can limit certain users or certain jobs access tocertain secret values. The secrets sub unit can use different secretsfor development versus production jobs. Thus, the embodiments provide anapproach that can be generalized for any kind of configuration data ordynamic (runtime-specific) data required by the container.

The embodiments overcome the limitations of the existing processes. Theembodiments provide standardization of a basic required operations forrunning many container functions (e.g., injection of secret ordynamic/configuration data). The embodiments provide better security forthe secrets being provisioned by supporting mechanisms for providingsecret values without exposing these secret values. The embodimentsprovide a more robust administration of secret values and management ofcontainers while reducing overall container management system overhead.The embodiments provide standardization and automation to reduce errorsin secret provisioning caused by operators having insufficientinformation about the characteristics of the secret values orconfiguration data that are required by each container or container subunit.

FIG. 1 is a diagram of one embodiment of a network of computing devicesfunctioning as a platform including a set of server hosts to manage aset of containers. The FIG. 1 provides one example of a set of computingdevices that implement a platform providing a container managementsystem. In other embodiments, the platform may be implemented by asingle computing device with any configuration of hardware, while infurther embodiments, the components of the platform may be distributedin other combinations and permutations as would be understood by one ofskill in the art. In the example embodiment, the computing devices(Host(s) 1-N) are connected with one another over a local area networkin this example an L3 network. In other embodiments, the computingdevices can be connected over any type of network, interconnect orcommunication system.

The computing devices (Host(1-N) can have similar or varied computingresources, including differing processing capabilities, storagecapabilities and similar physical hardware differences. While theexamples are primarily discussed in terms of physical computing devicesserving as hosts, one skilled in the art would understand thatadditional levels of virtualization are possible such that the platformmay execute on a set of virtual hosts. For sake of clarity, the hostsare discussed as physical computing devices.

Each of the computing devices includes hardware 105 comprising a set ofone or more processor(s) 111 (which can be any type of general purposeof application specific processors), network interface controller(s)(NICs; also known as network interface cards) (which include physicaland virtual interfaces), non-transitory machine-readable storage media113 having stored therein software including the software thatimplements the embodiments described herein, and similar components.During operation, the processor(s) 111 execute the software toinstantiate the platform 103 including any number of constituentcomponents such as a container manager 103, application programminginterfaces (APIs) 121, administrator interface 157 and similarcomponents, as well as one or more sets of one or more applications. Theembodiments may use different forms of virtualization. For example, inone embodiment the platform may encompass the kernel of an operatingsystem (or a shim executing on a base operating system) that allows forthe creation of multiple instances called software containers or simply‘containers’ 101 as used herein that may each be used to execute one (ormore) of the sets of applications supported by the platform, where themultiple containers 101 (also called virtualization engines, virtualprivate servers, or jails) are user spaces (typically a virtual memoryspace) that are separate from each other and separate from the kernelspace in which the operating system is run; and where the set ofapplications running in a given container or user space, unlessexplicitly allowed, cannot access the memory of the other containers orprocesses.

In another embodiment, the platform encompasses a hypervisor (sometimesreferred to as a virtual machine monitor (VMM)) or a hypervisorexecuting on top of a host operating system, and each of the sets ofapplications is run on top of a guest operating system within aninstance called a virtual machine (which may in some cases be considereda tightly isolated form of software container) that is run on top of thehypervisor—the guest operating system and application may not know theyare running on a virtual machine as opposed to running on a “bare metal”host electronic device, or through para-virtualization the operatingsystem and/or application may be aware of the presence of virtualizationfor optimization purposes. In further embodiments, one, some or all ofthe applications are implemented as unikernel(s), which can be generatedby compiling directly with an application only a limited set oflibraries (e.g., from a library operating system (LibOS) includingdrivers/libraries of OS services) that provide the particular OSservices needed by the application. As a unikernel can be implemented torun directly on hardware 105, directly on a hypervisor (in which casethe unikernel is sometimes described as running within a LibOS virtualmachine), or in a software container, embodiments can be implementedfully with unikernels running directly on a hypervisor represented byplatform 103, unikernels running within software containers representedby instances 101, or as a combination of unikernels and theabove-described techniques (e.g., unikernels and virtual machines bothrun directly on a hypervisor, unikernels and sets of applications thatare run in different software containers).

While embodiments of the invention are illustrated with reference tocontainers 101, alternative embodiments may implement the processes andfunctions described herein at vary levels of granularity such as at afiner level granularity (e.g., line card virtual machines virtualizeline cards, control card virtual machine virtualize control cards,etc.); it should be understood that the techniques described herein withreference to container instances also apply to embodiments where such afiner level of granularity and/or unikernels are used.

In certain embodiments, the platform includes a virtual switch thatprovides similar forwarding services as a physical Ethernet switch.Specifically, this virtual switch forwards traffic between containers101 or instances and the NIC(s), as well as optionally between thecontainers 101 or instances; in addition, this virtual switch mayenforce network isolation between the various components of the platformthat by policy are not permitted to communicate with each other (e.g.,by honoring virtual local area networks (VLANs)).

In some embodiments, hosts 1-N may communicate via a virtual network,which is a logical abstraction of a physical network that providesnetwork services (e.g., L2 and/or L3 services). A virtual network can beimplemented as an overlay network (sometimes referred to as a networkvirtualization overlay) that provides network services (e.g., layer 2(L2, data link layer) and/or layer 3 (L3, network layer) services) overan underlay network (e.g., an L3 network, such as an Internet Protocol(IP) network that uses tunnels (e.g., generic routing encapsulation(GRE), layer 2 tunneling protocol (L2TP), IPSec) to create the overlaynetwork).

The platform 103, as discussed above, can include various componentsincluding a container manager 107, various APIs 121, an administratorinterface 157, and similar components. This listing is not intended tobe exhaustive, rather it sets forward those components most directlyaffected by the processes and embodiments described herein. Thesecomponents can be spread across any combination of the hosts 1-N in anycombination and permutation. Some components, such as the containermanager 107 may have instances on each host, while others may be presentin only a subset of the hosts.

The container manager 107 may be responsible for generating processesand jobs in the platform. The container manager 107 can facilitate theinstantiation of applications and containers 101. As discussed furtherherein below, the container manager 107 may instantiate a container 101or similar structure (e.g., unikernel or VM) by loading a correspondingcontainer image 151 and its constituent sub units 153.

APIs 121 are sets of functions that applications, user (e.g., via anadministrator interface 157 such as a command line interface, terminalor similar interface) and similar entities utilize to request resourcesof the platform including hardware 105. These functions, when invoked,are often referred to as ‘calls’ to the API. Some or all of these APIscan be considered secure APIs that require authentication of therequester before the requests are processed. The authentication isgenerally tied to a set of permissions or an authorization set of a userwho has a set of user credentials that in turn can form or generate auser token. The user credentials or user token can be processed by anauthentication server (not shown) to verify that the user credential orthe user token are valid or authorized.

The platform can support any number of containers 101 distributed acrossany number of the hosts 1-N and in any distribution or organization ofthe containers 101. The containers can be fixed to a particular host orcan be configured by the platform to be capable of being moved, forexample for load balancing, across the set of hosts 1-N. The containerscan have varying user space sizes, accessible resources and similarvariations in characteristics.

In some embodiments, one or more of the hosts 1-N may store copies ofthe container images 151 in the local memory or storage 113. Thecontainer images 151 can be stored in any location accessible to acontainer manager 107 to enable the loading of these container images151 to create a container 101.

In addition, the memory or storage 113 may include a secrets store 155.The secrets store 155 can include any sort of data that may be utilizedduring container instantiation to generate secret values to be injectedto the container 101 or a sub unit of the container. The secrets store155 can include lists of secret values, cryptographic information, orsimilar data that can either be used directly to inject a secret valuedefined by a secret sub unit into a container or can supply theinformation needed to derive such secret values such as hashingalgorithm or similar function that generates values that can be utilizedas secret values or as a portion thereof. In further embodiments, theprinciples, functions and processes described herein may be applied forother types of dynamic configuration of containers atruntime/instantiation. In such cases, the secrets store 155 may be aconfiguration store or similar data storage that contains anyinformation relevant to a configuration or operation of a container thatis dynamic (i.e., must be configured at runtime rather than duringdevelopment) and/or instance specific.

FIG. 2 is a diagram of one embodiment of a process of generating acontainer from a container image. The process illustrates the manner inwhich a container manager 107 generates a container 101 to be executedby the platform from a container image 151. The container manager 107may initiate the generation of a container 101 in response to a requestfrom an administrator via an administrator interface 157 or via anysimilar process. A container image 151 is composed of any number of subunits. These sub units are either code or references to code that areloaded by the container manager 101 into a user space to be executed bythe platform. The container manager 107 thus follows the ‘recipe’defined by the container image 151 to create the container 101. Anynumber of containers 101 can be generated from a single container image151. The embodiments enable each of these containers 101 generated fromthe same container image 151 to have different configuration (i.e.,separate secret values or similar dynamic configuration at runtime). Thetypes of sub units can include operating system (OS) sub units 203,library sub units 205, application sub unit 207 and secret (or dynamicconfiguration) sub unit 201. Any number, combination or sub set of subunits can be included in a given container image 151. The types of subunits described with reference to this example are by way ofillustration and not limitation. One skilled in the art would appreciatethat there may be any number of other types of sub units that may bedefined in conjunction with a container image 151.

An OS sub unit 203 can include code or references to code related to anoperating system or portion of an operating system such as a kernel. TheOS sub unit 203 can similarly define or reference functions orinterfaces of an operating system. A library sub unit 205 can define orreference a programming or code library in its entirety or any sub-setof the library as may be utilized by the container or the othercomponents (sub-units) of the container 101. An application sub unit maydefine an application (i.e., a program or set of functions) to beexecuted as part of the container 101. A separate application sub unitmay be defined for each application to be placed in the container or insome embodiments, multiple applications can be defined or referenced bya single application sub unit.

A secret sub unit 201 can define a set of secret information that isrequired by the container including secret information required by othersub units. In other embodiments, the secret sub unit 201 can define anydynamic runtime configuration information and can be referred to as aconfiguration sub unit. The secret sub unit 201 can have a standardizedformat that may specify a process for generating the required secretvalues, how to provide or input these secret values, the sub unitsutilizing the secret values and similar information. The secret subunits can be processed by a runtime secret processing component 211 inthe container manager 107 or a similar component.

The runtime secret processing component 211 can access the metadata andinformation of the secret sub unit 201 and generate the secret valuesrequired as well as inject them into the container 101 or the containercomponents such as an application 221 (shown with an injected secret 223for example), the operating system 225 or component thereof, if presentin the container, a library 227 or similar component of the container101. In some embodiments, the container manager 107 and the runtimesecret processing component 211 can retrieve secret related data from asecret store 155 where specified by a secret sub unit 201. Similarly,the secret sub unit 201 can define information that is to be input by auser/administrator and the runtime secret processing component 211 caninteract with the administrator interface to query a user for therequisite information to generate the secret values to be injected intothe container 101 or its components.

One skilled in the art would appreciate, that the same process andfunction can be applied to an embodiment where the secret sub unit 201defines dynamic configuration requirements (i.e., where there is aconfiguration sub unit). The processes, components and functionsdescribed with relation to secret injection are also applicable andadaptable to dynamic runtime configuration of a container 101 and itscomponents.

In one example embodiment, a secret sub unit may be defined inJavaScript Object Notation (JSON). This example is provided by way ofillustration and not limitations. One skilled in the art wouldunderstand that the secret sub unit can be implemented with otherformats and using other notations or languages.

secrets: { secret: { name: “TLS Key”, type: “RSA_PRIVATE_KEY”, format:“BASE64”, destination: { type: “ENVIRONMENT VARIABLE”, name: “TLS_KEY” }prompt: “Please enter the Base64-encoded server private key for TLS” },secret: { name: “DB Password”, type: “Clear Text”, format: “String”,destination: { type: “file”, name: “/usr/var/app/dbpwfile” } prompt:“Please enter the database password” }

In this example, a secret sub unit defines a set of secret values thatare to be determined. For each secret value a ‘name,’type,“format,”destination,' and ‘prompt’ are defined. The name of thefirst secret value is the ‘TLS Key’ and the second secret value name isthe ‘DB Password.’ The first secret value type is ‘RSA_Private_Key’(i.e., a cryptographic key) and the second is clear text. The firstsecret value type is ‘Base64’ (i.e., an ASCII encoding of the key) andthe second is a string. The first and second secret values define adestination where each destination includes a type and name. The firstand second secret values also define strings to be presented as promptswhere the data to be obtained is from a user via an administrativeinput. In other embodiments, other fields can be defined such as inputsources like secret stores or algorithms either by reference orexplicitly within the secret sub unit.

The operations in the flow diagrams will be described with reference tothe exemplary embodiments of the other figures. However, it should beunderstood that the operations of the flow diagrams can be performed byembodiments of the invention other than those discussed with referenceto the other figures, and the embodiments of the invention discussedwith reference to these other figures can perform operations differentthan those discussed with reference to the flow diagrams.

FIG. 3 is a process for runtime secret processing to support containerinstantiation from a container image. In some embodiments, this processis implemented by the container manager. In other embodiments, othercomponents of the container management system or sub-components such asa runtime secret processing component may perform any number orarrangement of these functions. In on embodiment, the process isinitiated in response to a request to instantiate a container and toload the associated container image (Block 301). The container image maybe stored local to or remotely from the container manager. The containerimage may be stored in a single location or its storage may bedistributed over any number of storage devices. Once the container imageis loaded or as it is loaded, the process can identify the sub unitsthat are a part of the container image. (Block 303). A given containerimage can have any number or variety of sub units (i.e., referred to aspackages or layers in some implementations). The sub units can be loadedinto a container or loaded to form a container on the containermanagement system.

In some embodiments, a check is made to determine whether the set of subunits for a container to be instantiated include one or more secret subunits (or where the embodiments support dynamic configuration the subunits may be referred to as configuration sub units) (Block 305). Ifthere are no secret (or configuration) sub units, then the process cancontinue with the instantiation of the container with the defined subunits (Block 307). If there are secret sub units, then the process mayload the secret sub unit and access the meta data stored therein todetermine a number and type of secret values (or configurationparameters) to be determined including the source of the secret values(configuration parameters) and the destination of the secret values(configuration parameters) (Block 309). For example, a secret sub unitmay identify a secret store or similar storage location with a set ofsecret values or similar data to enable the derivation of the secretinformation. In other examples, a set of secret values may be defined tobe determined based on a specified algorithm. The process then generatesor retrieves the secret values from the sources (i.e., a storagelocation, derivation or similar process) (Block 311). In furtherembodiments, the determination of the secret values can includegeneration of a query or similar interaction with a user such as anadministrator to receive some portion of the secret value or informationto be utilized in the generation of the secret value such as a seed fora number generation algorithm. The process can use any combination ofstored, user supplied or derived information to generate the secretsrequired by the secret sub unit.

Once the secret values have been determined in accord with thedefinition of the secret sub unit (or the dynamic configurationinformation has been similarly determined), then the process cancomplete the instantiation of the other container sub units (Block 313).In other embodiments, the other sub units can be loaded and/orinstantiated in parallel or before the secret sub unit and secret valuedetermination. The secret values can be provided to a target destinationas defined by the secret sub unit (Block 315). The target can be anycomponent or sub unit of the container being instantiated. The secretvalues can be provided by any communication mechanism such as via aninter-process communication, message, input parameter or similarmechanism for passing the secret information to the sub unit or similarcomponent of a container.

In this manner, a secret sub unit can define a standardized method andformat for determining secret values at run time and on a per instancebasis. This process can be repeated for each instance of a containerimage that is being generated as a container thereby providing separateunique values to each container in the manner that is standardized forthe container manager. This avoids differing approaches that may bedefined entirely by developers that are not standardized and do notprotect secrecy of the information on a per instance basis for eachcontainer.

FIG. 4 is a schematic block diagram illustrating a virtualizationenvironment in which functions implemented by some embodiments may bevirtualized. As discussed further herein above, in the present context,virtualizing means creating virtual versions of apparatuses or deviceswhich may include virtualizing hardware platforms, storage devices andnetworking resources. As used herein, virtualization can be applied toprovide a platform that executes over a set of physical hardwarecomponents and relates to an implementation in which at least a portionof the functionality is implemented as one or more virtual components(e.g., via one or more applications, components, functions, virtualmachines or containers executing on one or more physical processingcomponents).

In some embodiments, some or all of the functions described herein maybe implemented as virtual components executed by one or more containersor virtual machines implemented in one or more virtual environments 400hosted by one or more of hardware components 430.

The functions of the embodiments may be implemented as part of thevirtualization layer 450, which supports one or more applications 420(which may alternatively be called software instances, virtualappliances, network functions, virtual nodes, virtual network functions,or the like) operative to implement features, functions, and/or benefitsof any type of program. Applications 420 are run in virtualizationenvironment 400 such as containers which isolate the applications fromhardware 430 comprising processing circuitry 460 and memory 490. Memory490 contains instructions 495 executable by processing circuitry 460whereby applications 420 can be executed as part of the virtualizationenvironment 400.

The virtualization layer 450 can be executed by general-purpose orspecial-purpose network hardware devices 430 that may include a set ofone or more processors or processing circuitry 460, which may becommercial off-the-shelf (COTS) processors, dedicated ApplicationSpecific Integrated Circuits (ASICs), or any other type of processingcircuitry including digital or analog hardware components or specialpurpose processors. Each hardware device may comprise memory 490-1 whichmay be non-persistent memory for temporarily storing instructions 495 orsoftware executed by processing circuitry 460. Each hardware device mayinclude one or more network interface controllers (NICs) 470, also knownas network interface cards, which include physical network interface480. Each hardware device may also include non-transitory, persistent,machine-readable storage media 490-2 having stored therein software 495and/or instructions executable by processing circuitry 460. Software 495may include any type of software including software for instantiatingone or more virtualization layers 450 (also referred to as hypervisors),software to execute virtual machines 440 as well as software allowing itto execute functions, features and/or benefits described in relationwith some embodiments described herein.

Containers 400 may include the applications 420 and other sub units 440,that support virtual processing, virtual memory, virtual networking orinterface and virtual storage, and may be run by a correspondingvirtualization layer 450 or hypervisor. Different embodiments of theinstances of applications 420 may be implemented within one or more ofvirtual machines or containers 400, and the implementations may be madein different ways.

During operation, processing circuitry 460 executes software 495 toinstantiate the hypervisor or virtualization layer 450, which maysometimes be referred to as a virtual machine monitor (VMM).Virtualization layer 450 may present a virtual operating platform orcontainer management system.

As shown in FIG. 4, hardware 430 may be a standalone network node withgeneric or specific components. Hardware 430 may include any hardwarecomponents and may implement some functions via virtualization.Alternatively, hardware 430 may be part of a larger cluster of hardware(e.g. such as in a data center or customer premise equipment (CPE))where many hardware nodes work together and are managed via managementand orchestration (MANO) 400, which, among others, oversees lifecyclemanagement of applications 420.

Secret Injection for 5G Mobile Network Core Network Elements

FIG. 5 is a diagram of one example of a 3^(rd) generation partnershipproject (3GPP) 5^(th) generation (5G) mobile network. In someembodiments, the injection of secrets into containers can be utilizedwith the functions of a 5G mobile network, in particular the networkelements of the 5G mobile network core 500. The network elements are thefunctions and operations of the 5G mobile network core 500, a set of thenetwork elements, as illustrated, are provided by way of example and notlimitation. One skilled in the art would understand that the embodimentscan be utilized in combination with other network elements, functionsand process, including those of prior mobile networking technologiessuch as 4G long term evolution (LTE), and similar technologies. Theexample 5G mobile network core 500 can be consistent with the “SystemArchitecture for the 5G System” as defined in TS 23.501 by 3GPP or asdefined in similar standards.

In the example embodiments, the 5G mobile network core 500 enablescommunication of a user equipment (UE) with other UEs and electronicdevices communicatively connected to the 5G mobile network core 500 orwith electronic devices connected to the data network 519 via the 5Gmobile network core 500. The 5G mobile network core 500 includes anumber of functions that can be distributed over any number andcombination of electronic devices including the electronic devices of abase station, radio access network (RAN), and other devices in the 5Gmobile network core 500. For sake of clarity and conciseness, theexample of a single UE 501 connected to the 5G mobile network core 500is provided, where the UE 501 connects to the 5G mobile network core 500via the RAN including the next generation node basestation (gNodeB) 503and similar components of the RAN. The RAN can include any number ofgNodeBs 503 that service any number of UEs 501.

The UE 501 connects to the 5G mobile network core 500 via the gNodeB503. Specifically, the UE 501 connects to the access and mobilitymanagement function (AMF) 505. The functions and services of the 5Gmobile network core 500 communicate via a set of interfaces or referencepoints (e.g., N1-N14). The reference points can be point to pointinterfaces that interconnect the network functions where particularsignaling procedures can be defined for each point to point interface.Some network functions can be connected via service interfaces or acommon bus architecture. For sake of clarity and conciseness some of thedetails of the communication of the components of the 5G mobile networkcore 500 are omitted. Those skilled in the art would understand theoperation of possible communication mechanisms, e.g., as defined in TS23.501, between the components of the 5G mobile network core 500 asdescribed herein.

The AMF 505 is responsible for the termination of the non-access stratum(NAS) N1 reference point including NAS ciphering and integrityprotection, mobility management, lawful intercept (e.g., for AMFevents), serving as a transparent proxy for routing accessauthentication and SM messages, access authentication, accessauthorization, security anchor function (SEA), security contextmanagement (SCM), and similar functions. In this regard, N2 is thereference point between the gNodeB 503 (and the RAN) and the AMF 505.

The user plane function (UPF) 513 is connected to the gNodeB 503 (i.e.,via reference point N3) and the session management function (SMF) 511(i.e., via reference point N4). The UPF 513 functions include quality ofservice (QoS) handling for user plane data, packet routing andforwarding, packet inspection and policy rule enforcement, lawfulintercept (e.g., of the user plane), traffic accounting and reporting,serving as an anchor point for intra-/inter-radio access technologiesmobility, facilitating interaction with external data networks 519 fortransport of signaling for protocol data unit (PDU) sessionauthorization/authentication by the external data network 519, andsimilar functions.

The session management control function (SMF) 511 is connected to theAMF 505 via the N11 reference point and to the UPF via the N4 referencepoint. The SMF 511 functions include session management, UE InternetProtocol (IP) address allocation and management (including optionalauthorization), selection and control of user plane functions,termination of interfaces (i.e., reference point N7) towards policycontrol and charging functions (PCF) 515, control of parts of policyenforcement and QoS, lawful intercept (for Session Management events,interface to lawful intercept system (not shown)), termination ofSession Management parts of NAS messages, downlink data notification,initiator of Access Node specific Session Management information, sentvia AMF 505 over N2 to Access Node (e.g., gNodeB 503), roamingfunctionality, handling local enforcement to apply QoS service levelagreements (SLAs) (e.g., visited public land mobile network (VPLMN)),charging data collection and charging interface (e.g., VPLMN), lawfulintercept (in VPLMN for Session Management events and interface tolawful intercept system), and similar functions.

The data network 519 can be any number or variety of external networksof any size or configuration. The data network 519 can provide mobilenetwork operator (MNO) services, Internet access, and similar functionsand services to the 5G mobile network core 500. The data network 519 isconnected to the UPF via reference point N6.

The authentication server function (AUSF) 507 is connected to the AMF505 via reference point N12 and the unified data management function(UDM) via reference point N13. The AUSF 507 performs authenticationprocesses with the UE 501. The unified data management function supportsauthentication credential repository and processing function (ARPF) (notshown), this function stores the long-term security credentials used inauthentication, storing of subscription information, and similarfunctions.

The UDM 509 is connected to the AUSF 507 via the interface N13 and tothe SMF 511 via the interface N10. The UDM 509 manages network userdata. The UDM 509 can be paired with a user data repository (UDR) (notshown), which stores the user data such as customer profile information,customer authentication information, and encryption keys. The UDM isconnected to the SMF 511 via the N10 reference point, to the AUSF 507via N13 reference point, and to the AMF 505 via the N8 reference point.

The policy control function (PCF) 515 is connected to the SMF 511 viathe interface N7 and the AMF 505 via the reference point N15. The PCF515 provides support of unified policy framework to govern networkbehavior, policy rules to control plane function(s) that enforce them,and similar functions.

The application function (AF) 517 is connected to the SMF 511 viareference point N5. The AF 517 requests dynamic policies and/or chargingcontrol, and performs similar functions.

Additional reference points include N9 between instances of UPFs 513 andN14 between instances of AMFs 505.

The use of containers in a 5G mobile network core 500 can have a numberof advantages including cost savings. Compared to the use of virtualmachines, the containers use less hardware resources, because they donot rely on a full operating system to support the operation of thecontainers. In addition, containers have faster startup times, requireless maintenance, and are portable relative to virtual machines.Containers can execute on any Linux or similar host.

The 5G mobile network core 500, as defined by 3GPP, utilizescloud-aligned, service-based architecture (SBA) that spans across all 5Gnetwork elements and similar functions and interactions includingauthentication, security, session management and aggregation of trafficfrom end devices. The 5G mobile network core 500 further supports NFV asan integral design concept with virtualized software functions capableof being deployed using the multi-access edge computing (MEC)infrastructure that is utilized with 5G mobile network architecturalprinciples. A carrier-grade 5G mobile network core can be deployed oncontainers provided the entire container ecosystem is deployed usingwell-defined APIs.

5G mobile networks support security features detailed by the 3GPPstandards including unified authentication to decouple authenticationfrom access points, extensible authentication protocols to accommodatesecure transactions, flexible security policies to address more usecases and subscriber permanent identifiers (SUPI) to ensure privacy onthe network. The embodiments support these security features withsecrets injection that is extend to 5G mobile network corefunctionalities that are containerized.

FIG. 6 is a flowchart of one embodiment of a process for secretinjection for network elements in a 5G mobile network core. In someembodiments, this process is implemented by the container manager. Inother embodiments, other components of the container management systemor sub-components such as a runtime secret processing component mayperform any number or arrangement of these functions. In one embodiment,the process is initiated in response to a request to instantiate acontainer and to load the associated container image (Block 601). Thisprocess can be initiated by any process on any electronic device withinthe 5G mobile network core. The container manager can be executed by anyelectronic device within the 5G mobile network core. The container imagemay be stored local to or remotely from the container manager. Thecontainer image may be stored in a single location or its storage may bedistributed over any number of storage devices within the 5G mobilenetwork core or in communication therewith. Once the container image isloaded or as it is loaded, the process can identify the sub units thatare a part of the container image (Block 603). A given container imagecan have any number or variety of sub units (i.e., referred to aspackages or layers in some implementations). The sub units can be loadedinto a container or loaded to form a container on the containermanagement system. The sub units can include network element sub unitthat implement the various network elements and functions as describedherein including, but not limited to, an AMF, SMF, AUSF, UDM, PCF, AF,UPF, and similar network elements.

In some embodiments, a check is made to determine whether the set of subunits for a container to be instantiated include one or more secret subunits (or where the embodiments support dynamic configuration the subunits may be referred to as configuration sub units) (Block 605). Ifthere are no secret (or configuration) sub units, then the process cancontinue with the instantiation of the container with the defined subunits (Block 607). If there are secret sub units, then the process mayload the secret sub unit and access the meta data stored therein todetermine a number and type of secret values (or configurationparameters) to be determined including the source of the secret values(configuration parameters) and the destination of the secret values(configuration parameters) (Block 609). For example, a secret sub unitmay identify a secret store or similar storage location with a set ofsecret values or similar data to enable the derivation of the secretinformation that is within the 5G mobile network core or accessible tothe network elements of the 5G mobile network core. In other examples, aset of secret values may be defined to be determined based on aspecified algorithm. The process then generates or retrieves the secretvalues from the sources (i.e., a storage location, derivation or similarprocess) (Block 611). The algorithm, location, derivation, or relatedprocess can be configured by the MNO or can be specific to the MNO Infurther embodiments, the determination of the secret values can includegeneration of a query or similar interaction with a user such as anadministrator to receive some portion of the secret value or informationto be utilized in the generation of the secret value such as a seed fora number generation algorithm. The process can use any combination ofstored, user supplied or derived information to generate the secretsrequired by the secret sub unit.

Once the secret values have been determined in accord with thedefinition of the secret sub unit (or the dynamic configurationinformation has been similarly determined), then the process cancomplete the instantiation of the other container sub units includingany one or more of the network element sub units (Block 613). In otherembodiments, the other sub units can be loaded and/or instantiated inparallel or before the secret sub unit and secret value determination.The secret values can be provided to a target destination as defined bythe secret sub unit (Block 615). The target can be any component or subunit of the container being instantiated. In these example embodiments,the destination sub units are network element sub units (e.g., an AMF,SMF, AUSF, UDM, PCF, AF, UPF). The secret values can be provided by anycommunication mechanism such as via an inter-process communication,message, input parameter or similar mechanism for passing the secretinformation to the sub unit or similar component of a container.

In this manner, a secret sub unit can define a standardized method andformat for determining secret values at run time and on a per instancebasis. This process can be repeated for each instance of a containerimage that is being generated as a container thereby providing separateunique values to each container and for each destination sub unit in acontainer in the manner that is standardized for the container manager.This avoids differing approaches that may be defined entirely bydevelopers that are not standardized and do not protect secrecy of theinformation on a per instance basis for each container. In someembodiments, the process can be used to configure and ensure that asecret is unique to a network element or container within the 5G mobilenetwork core.

FIG. 7A illustrates connectivity between network devices (NDs) within anexemplary network, as well as three exemplary implementations of theNDs, according to some embodiments of the invention. FIG. 7A shows NDs700A-H, and their connectivity by way of lines between 700A-700B,700B-700C, 700C-700D, 700D-700E, 700E-700F, 700F-700G, and 700A-700G, aswell as between 700H and each of 700A, 700C, 700D, and 700G. These NDsare physical devices, and the connectivity between these NDs can bewireless or wired (often referred to as a link). An additional lineextending from NDs 700A, 700E, and 700F illustrates that these NDs actas ingress and egress points for the network (and thus, these NDs aresometimes referred to as edge NDs; while the other NDs may be calledcore NDs).

Two of the exemplary ND implementations in FIG. 7A are: 1) aspecial-purpose network device 702 that uses custom application—specificintegrated—circuits (ASICs) and a special-purpose operating system (OS);and 2) a general purpose network device 704 that uses commonoff-the-shelf (COTS) processors and a standard OS.

The special-purpose network device 702 includes networking hardware 710comprising a set of one or more processor(s) 712, forwarding resource(s)714 (which typically include one or more ASICs and/or networkprocessors), and physical network interfaces (NIs) 716 (through whichnetwork connections are made, such as those shown by the connectivitybetween NDs 700A-H), as well as non-transitory machine readable storagemedia 718 having stored therein networking software 720. Duringoperation, the networking software 720 may be executed by the networkinghardware 710 to instantiate a set of one or more networking softwareinstance(s) 722. Each of the networking software instance(s) 722, andthat part of the networking hardware 710 that executes that networksoftware instance (be it hardware dedicated to that networking softwareinstance and/or time slices of hardware temporally shared by thatnetworking software instance with others of the networking softwareinstance(s) 722), form a separate virtual network element 730A-R. Eachof the virtual network element(s) (VNEs) 730A-R includes a controlcommunication and configuration module 732A-R (sometimes referred to asa local control module or control communication module) and forwardingtable(s) 734A-R, such that a given virtual network element (e.g., 730A)includes the control communication and configuration module (e.g.,732A), a set of one or more forwarding table(s) (e.g., 734A), and thatportion of the networking hardware 710 that executes the virtual networkelement (e.g., 730A).

In some embodiments, the networking software 720 can include thecontainer manager 765 and similar elements of the embodiments. Thecontainer manager 765 can execute on processors 712 and similar hardware710.

The special-purpose network device 702 is often physically and/orlogically considered to include: 1) a ND control plane 724 (sometimesreferred to as a control plane) comprising the processor(s) 712 thatexecute the control communication and configuration module(s) 732A-R;and 2) a ND forwarding plane 726 (sometimes referred to as a forwardingplane, a data plane, or a media plane) comprising the forwardingresource(s) 714 that utilize the forwarding table(s) 734A-R and thephysical NIs 716. By way of example, where the ND is a router (or isimplementing routing functionality), the ND control plane 724 (theprocessor(s) 712 executing the control communication and configurationmodule(s) 732A-R) is typically responsible for participating incontrolling how data (e.g., packets) is to be routed (e.g., the next hopfor the data and the outgoing physical NI for that data) and storingthat routing information in the forwarding table(s) 734A-R, and the NDforwarding plane 726 is responsible for receiving that data on thephysical NIs 716 and forwarding that data out the appropriate ones ofthe physical NIs 716 based on the forwarding table(s) 734A-R.

FIG. 7B illustrates an exemplary way to implement the special-purposenetwork device 702 according to some embodiments of the invention. FIG.7B shows a special-purpose network device including cards 738 (typicallyhot pluggable). While in some embodiments the cards 738 are of two types(one or more that operate as the ND forwarding plane 726 (sometimescalled line cards), and one or more that operate to implement the NDcontrol plane 724 (sometimes called control cards)), alternativeembodiments may combine functionality onto a single card and/or includeadditional card types (e.g., one additional type of card is called aservice card, resource card, or multi-application card). A service cardcan provide specialized processing (e.g., Layer 4 to Layer 7 services(e.g., firewall, Internet Protocol Security (IPsec), Secure SocketsLayer (SSL)/Transport Layer Security (TLS), Intrusion Detection System(IDS), peer-to-peer (P2P), Voice over IP (VoIP) Session BorderController, Mobile Wireless Gateways (Gateway General Packet RadioService (GPRS) Support Node (GGSN), Evolved Packet Core (EPC) Gateway)).By way of example, a service card may be used to terminate IPsec tunnelsand execute the attendant authentication and encryption algorithms.These cards are coupled together through one or more interconnectmechanisms illustrated as backplane 736 (e.g., a first full meshcoupling the line cards and a second full mesh coupling all of thecards).

Returning to FIG. 7A, the general purpose network device 704 includeshardware 740 comprising a set of one or more processor(s) 742 (which areoften COTS processors) and physical NIs 746, as well as non-transitorymachine readable storage media 748 having stored therein software 750.During operation, the processor(s) 742 execute the software 750 toinstantiate one or more sets of one or more applications 764A-R. Whileone embodiment does not implement virtualization, alternativeembodiments may use different forms of virtualization. For example, inone such alternative embodiment the virtualization layer 754 representsthe kernel of an operating system (or a shim executing on a baseoperating system) that allows for the creation of multiple instances762A-R called software containers that may each be used to execute one(or more) of the sets of applications 764A-R; where the multiplesoftware containers (also called virtualization engines, virtual privateservers, or jails) are user spaces (typically a virtual memory space)that are separate from each other and separate from the kernel space inwhich the operating system is run; and where the set of applicationsrunning in a given user space, unless explicitly allowed, cannot accessthe memory of the other processes. In another such alternativeembodiment the virtualization layer 754 represents a hypervisor(sometimes referred to as a virtual machine monitor (VMM)) or ahypervisor executing on top of a host operating system, and each of thesets of applications 764A-R is run on top of a guest operating systemwithin an instance 762A-R called a virtual machine (which may in somecases be considered a tightly isolated form of software container) thatis run on top of the hypervisor—the guest operating system andapplication may not know they are running on a virtual machine asopposed to running on a “bare metal” host electronic device, or throughpara-virtualization the operating system and/or application may be awareof the presence of virtualization for optimization purposes. In yetother alternative embodiments, one, some or all of the applications areimplemented as unikernel(s), which can be generated by compilingdirectly with an application only a limited set of libraries (e.g., froma library operating system (LibOS) including drivers/libraries of OSservices) that provide the particular OS services needed by theapplication. As a unikernel can be implemented to run directly onhardware 740, directly on a hypervisor (in which case the unikernel issometimes described as running within a LibOS virtual machine), or in asoftware container, embodiments can be implemented fully with unikernelsrunning directly on a hypervisor represented by virtualization layer754, unikernels running within software containers represented byinstances 762A-R, or as a combination of unikernels and theabove-described techniques (e.g., unikernels and virtual machines bothrun directly on a hypervisor, unikernels and sets of applications thatare run in different software containers).

In some embodiments, the software 750 can include the container manager765 and similar elements of the embodiments. The container manager 765can execute on processors 742 and similar hardware 740.

The instantiation of the one or more sets of one or more applications764A-R, as well as virtualization if implemented, are collectivelyreferred to as software instance(s) 752. Each set of applications764A-R, corresponding virtualization construct (e.g., instance 762A-R)if implemented, and that part of the hardware 740 that executes them (beit hardware dedicated to that execution and/or time slices of hardwaretemporally shared), forms a separate virtual network element(s) 760A-R.

The virtual network element(s) 760A-R perform similar functionality tothe virtual network element(s) 730A-R—e.g., similar to the controlcommunication and configuration module(s) 732A and forwarding table(s)734A (this virtualization of the hardware 740 is sometimes referred toas network function virtualization (NFV)). Thus, NFV may be used toconsolidate many network equipment types onto industry standard highvolume server hardware, physical switches, and physical storage, whichcould be located in Data centers, NDs, and customer premise equipment(CPE). While embodiments of the invention are illustrated with eachinstance 762A-R corresponding to one VNE 760A-R, alternative embodimentsmay implement this correspondence at a finer level granularity (e.g.,line card virtual machines virtualize line cards, control card virtualmachine virtualize control cards, etc.); it should be understood thatthe techniques described herein with reference to a correspondence ofinstances 762A-R to VNEs also apply to embodiments where such a finerlevel of granularity and/or unikernels are used.

In certain embodiments, the virtualization layer 754 includes a virtualswitch that provides similar forwarding services as a physical Ethernetswitch. Specifically, this virtual switch forwards traffic betweeninstances 762A-R and the physical NI(s) 746, as well as optionallybetween the instances 762A-R; in addition, this virtual switch mayenforce network isolation between the VNEs 760A-R that by policy are notpermitted to communicate with each other (e.g., by honoring virtuallocal area networks (VLANs)).

The third exemplary ND implementation in FIG. 7A is a hybrid networkdevice 706, which includes both custom ASICs/special-purpose OS and COTSprocessors/standard OS in a single ND or a single card within an ND. Incertain embodiments of such a hybrid network device, a platform VM(i.e., a VM that that implements the functionality of thespecial-purpose network device 702) could provide forpara-virtualization to the networking hardware present in the hybridnetwork device 706.

Regardless of the above exemplary implementations of an ND, when asingle one of multiple VNEs implemented by an ND is being considered(e.g., only one of the VNEs is part of a given virtual network) or whereonly a single VNE is currently being implemented by an ND, the shortenedterm network element (NE) is sometimes used to refer to that VNE. Alsoin all of the above exemplary implementations, each of the VNEs (e.g.,VNE(s) 730A-R, VNEs 760A-R, and those in the hybrid network device 706)receives data on the physical NIs (e.g., 716, 746) and forwards thatdata out the appropriate ones of the physical NIs (e.g., 716, 746). Forexample, a VNE implementing IP router functionality forwards IP packetson the basis of some of the IP header information in the IP packet;where IP header information includes source IP address, destination IPaddress, source port, destination port (where “source port” and“destination port” refer herein to protocol ports, as opposed tophysical ports of a ND), transport protocol (e.g., user datagramprotocol (UDP), Transmission Control Protocol (TCP), and differentiatedservices code point (DSCP) values.

FIG. 7C illustrates various exemplary ways in which VNEs may be coupledaccording to some embodiments of the invention. FIG. 7C shows VNEs770A.1-770A.P (and optionally VNEs 770A.Q-770A.R) implemented in ND 700Aand VNE 770H.1 in ND 700H. In FIG. 7C, VNEs 770A.1-P are separate fromeach other in the sense that they can receive packets from outside ND700A and forward packets outside of ND 700A; VNE 770A.1 is coupled withVNE 770H.1, and thus they communicate packets between their respectiveNDs; VNE 770A.2-770A.3 may optionally forward packets between themselveswithout forwarding them outside of the ND 700A; and VNE 770A.P mayoptionally be the first in a chain of VNEs that includes VNE 770A.Qfollowed by VNE 770A.R (this is sometimes referred to as dynamic servicechaining, where each of the VNEs in the series of VNEs provides adifferent service—e.g., one or more layer 4-7 network services). WhileFIG. 7C illustrates various exemplary relationships between the VNEs,alternative embodiments may support other relationships (e.g.,more/fewer VNEs, more/fewer dynamic service chains, multiple differentdynamic service chains with some common VNEs and some different VNEs).

The NDs of FIG. 7A, for example, may form part of the Internet or aprivate network; and other electronic devices (not shown; such as enduser devices including workstations, laptops, netbooks, tablets, palmtops, mobile phones, smartphones, phablets, multimedia phones, VoiceOver Internet Protocol (VOIP) phones, terminals, portable media players,GPS units, wearable devices, gaming systems, set-top boxes, Internetenabled household appliances) may be coupled to the network (directly orthrough other networks such as access networks) to communicate over thenetwork (e.g., the Internet or virtual private networks (VPNs) overlaidon (e.g., tunneled through) the Internet) with each other (directly orthrough servers) and/or access content and/or services. Such contentand/or services are typically provided by one or more servers (notshown) belonging to a service/content provider or one or more end userdevices (not shown) participating in a peer-to-peer (P2P) service, andmay include, for example, public webpages (e.g., free content, storefronts, search services), private webpages (e.g., username/passwordaccessed webpages providing email services), and/or corporate networksover VPNs. For instance, end user devices may be coupled (e.g., throughcustomer premise equipment coupled to an access network (wired orwirelessly)) to edge NDs, which are coupled (e.g., through one or morecore NDs) to other edge NDs, which are coupled to electronic devicesacting as servers. However, through compute and storage virtualization,one or more of the electronic devices operating as the NDs in FIG. 7Amay also host one or more such servers (e.g., in the case of the generalpurpose network device 704, one or more of the software instances 762A-Rmay operate as servers; the same would be true for the hybrid networkdevice 706; in the case of the special-purpose network device 702, oneor more such servers could also be run on a virtualization layerexecuted by the processor(s) 712); in which case the servers are said tobe co-located with the VNEs of that ND.

A virtual network is a logical abstraction of a physical network (suchas that in FIG. 7A) that provides network services (e.g., L2 and/or L3services). A virtual network can be implemented as an overlay network(sometimes referred to as a network virtualization overlay) thatprovides network services (e.g., layer 2 (L2, data link layer) and/orlayer 3 (L3, network layer) services) over an underlay network (e.g., anL3 network, such as an Internet Protocol (IP) network that uses tunnels(e.g., generic routing encapsulation (GRE), layer 2 tunneling protocol(L2TP), IPSec) to create the overlay network).

A network virtualization edge (NVE) sits at the edge of the underlaynetwork and participates in implementing the network virtualization; thenetwork-facing side of the NVE uses the underlay network to tunnelframes to and from other NVEs; the outward-facing side of the NVE sendsand receives data to and from systems outside the network. A virtualnetwork instance (VNI) is a specific instance of a virtual network on aNVE (e.g., a NE/VNE on an ND, a part of a NE/VNE on a ND where thatNE/VNE is divided into multiple VNEs through emulation); one or moreVNIs can be instantiated on an NVE (e.g., as different VNEs on an ND). Avirtual access point (VAP) is a logical connection point on the NVE forconnecting external systems to a virtual network; a VAP can be physicalor virtual ports identified through logical interface identifiers (e.g.,a VLAN ID).

Examples of network services include: 1) an Ethernet LAN emulationservice (an Ethernet-based multipoint service similar to an InternetEngineering Task Force (IETF) Multiprotocol Label Switching (MPLS) orEthernet VPN (EVPN) service) in which external systems areinterconnected across the network by a LAN environment over the underlaynetwork (e.g., an NVE provides separate L2 VNIs (virtual switchinginstances) for different such virtual networks, and L3 (e.g., IP/MPLS)tunneling encapsulation across the underlay network); and 2) avirtualized IP forwarding service (similar to IETF IP VPN (e.g., BorderGateway Protocol (BGP)/MPLS IPVPN) from a service definitionperspective) in which external systems are interconnected across thenetwork by an L3 environment over the underlay network (e.g., an NVEprovides separate L3 VNIs (forwarding and routing instances) fordifferent such virtual networks, and L3 (e.g., IP/MPLS) tunnelingencapsulation across the underlay network)). Network services may alsoinclude quality of service capabilities (e.g., traffic classificationmarking, traffic conditioning and scheduling), security capabilities(e.g., filters to protect customer premises from network—originatedattacks, to avoid malformed route announcements), and managementcapabilities (e.g., full detection and processing).

FIG. 7D illustrates a network with a single network element on each ofthe NDs of FIG. 7A, and within this straight forward approach contrastsa traditional distributed approach (commonly used by traditionalrouters) with a centralized approach for maintaining reachability andforwarding information (also called network control), according to someembodiments of the invention. Specifically, FIG. 7D illustrates networkelements (NEs) 770A-H with the same connectivity as the NDs 700A-H ofFIG. 7A.

FIG. 7D illustrates that the distributed approach 772 distributesresponsibility for generating the reachability and forwardinginformation across the NEs 770A-H; in other words, the process ofneighbor discovery and topology discovery is distributed.

For example, where the special-purpose network device 702 is used, thecontrol communication and configuration module(s) 732A-R of the NDcontrol plane 724 typically include a reachability and forwardinginformation module to implement one or more routing protocols (e.g., anexterior gateway protocol such as Border Gateway Protocol (BGP),Interior Gateway Protocol(s) (IGP) (e.g., Open Shortest Path First(OSPF), Intermediate System to Intermediate System (IS-IS), RoutingInformation Protocol (RIP), Label Distribution Protocol (LDP), ResourceReservation Protocol (RSVP) (including RSVP-Traffic Engineering (TE):Extensions to RSVP for LSP Tunnels and Generalized Multi-Protocol LabelSwitching (GMPLS) Signaling RSVP-TE)) that communicate with other NEs toexchange routes, and then selects those routes based on one or morerouting metrics. Thus, the NEs 770A-H (e.g., the processor(s) 712executing the control communication and configuration module(s) 732A-R)perform their responsibility for participating in controlling how data(e.g., packets) is to be routed (e.g., the next hop for the data and theoutgoing physical NI for that data) by distributively determining thereachability within the network and calculating their respectiveforwarding information. Routes and adjacencies are stored in one or morerouting structures (e.g., Routing Information Base (RIB), LabelInformation Base (LIB), one or more adjacency structures) on the NDcontrol plane 724. The ND control plane 724 programs the ND forwardingplane 726 with information (e.g., adjacency and route information) basedon the routing structure(s). For example, the ND control plane 724programs the adjacency and route information into one or more forwardingtable(s) 734A-R (e.g., Forwarding Information Base (FIB), LabelForwarding Information Base (LFIB), and one or more adjacencystructures) on the ND forwarding plane 726. For layer 2 forwarding, theND can store one or more bridging tables that are used to forward databased on the layer 2 information in that data. While the above exampleuses the special-purpose network device 702, the same distributedapproach 772 can be implemented on the general purpose network device704 and the hybrid network device 706.

FIG. 7D illustrates that a centralized approach 774 (also known assoftware defined networking (SDN)) that decouples the system that makesdecisions about where traffic is sent from the underlying systems thatforwards traffic to the selected destination. The illustratedcentralized approach 774 has the responsibility for the generation ofreachability and forwarding information in a centralized control plane776 (sometimes referred to as a SDN control module, controller, networkcontroller, OpenFlow controller, SDN controller, control plane node,network virtualization authority, or management control entity), andthus the process of neighbor discovery and topology discovery iscentralized. The centralized control plane 776 has a south boundinterface 782 with a data plane 780 (sometime referred to theinfrastructure layer, network forwarding plane, or forwarding plane(which should not be confused with a ND forwarding plane)) that includesthe NEs 770A-H (sometimes referred to as switches, forwarding elements,data plane elements, or nodes). The centralized control plane 776includes a network controller 778, which includes a centralizedreachability and forwarding information module 779 that determines thereachability within the network and distributes the forwardinginformation to the NEs 770A-H of the data plane 780 over the south boundinterface 782 (which may use the OpenFlow protocol). Thus, the networkintelligence is centralized in the centralized control plane 776executing on electronic devices that are typically separate from theNDs.

For example, where the special-purpose network device 702 is used in thedata plane 780, each of the control communication and configurationmodule(s) 732A-R of the ND control plane 724 typically include a controlagent that provides the VNE side of the south bound interface 782. Inthis case, the ND control plane 724 (the processor(s) 712 executing thecontrol communication and configuration module(s) 732A-R) performs itsresponsibility for participating in controlling how data (e.g., packets)is to be routed (e.g., the next hop for the data and the outgoingphysical NI for that data) through the control agent communicating withthe centralized control plane 776 to receive the forwarding information(and in some cases, the reachability information) from the centralizedreachability and forwarding information module 779 (it should beunderstood that in some embodiments of the invention, the controlcommunication and configuration module(s) 732A-R, in addition tocommunicating with the centralized control plane 776, may also play somerole in determining reachability and/or calculating forwardinginformation—albeit less so than in the case of a distributed approach;such embodiments are generally considered to fall under the centralizedapproach 774, but may also be considered a hybrid approach).

While the above example uses the special-purpose network device 702, thesame centralized approach 774 can be implemented with the generalpurpose network device 704 (e.g., each of the VNE 760A-R performs itsresponsibility for controlling how data (e.g., packets) is to be routed(e.g., the next hop for the data and the outgoing physical NI for thatdata) by communicating with the centralized control plane 776 to receivethe forwarding information (and in some cases, the reachabilityinformation) from the centralized reachability and forwardinginformation module 779; it should be understood that in some embodimentsof the invention, the VNEs 760A-R, in addition to communicating with thecentralized control plane 776, may also play some role in determiningreachability and/or calculating forwarding information—albeit less sothan in the case of a distributed approach) and the hybrid networkdevice 706. In fact, the use of SDN techniques can enhance the NFVtechniques typically used in the general purpose network device 704 orhybrid network device 706 implementations as NFV is able to support SDNby providing an infrastructure upon which the SDN software can be run,and NFV and SDN both aim to make use of commodity server hardware andphysical switches.

FIG. 7D also shows that the centralized control plane 776 has a northbound interface 784 to an application layer 786, in which residesapplication(s) 788. The centralized control plane 776 has the ability toform virtual networks 792 (sometimes referred to as a logical forwardingplane, network services, or overlay networks (with the NEs 770A-H of thedata plane 780 being the underlay network)) for the application(s) 788.Thus, the centralized control plane 776 maintains a global view of allNDs and configured NEs/VNEs, and it maps the virtual networks to theunderlying NDs efficiently (including maintaining these mappings as thephysical network changes either through hardware (ND, link, or NDcomponent) failure, addition, or removal).

Network controller 787 or similar elements can include any combinationof the components of the embodiments including the container manager781. Any number of the functions of the embodiments can be implementedat the centralized approach 774 or in similar situations in support ofNFV or SDN functions and implementations related to the embodiments.

While FIG. 7D shows the distributed approach 772 separate from thecentralized approach 774, the effort of network control may bedistributed differently or the two combined in certain embodiments ofthe invention. For example: 1) embodiments may generally use thecentralized approach (SDN) 774, but have certain functions delegated tothe NEs (e.g., the distributed approach may be used to implement one ormore of fault monitoring, performance monitoring, protection switching,and primitives for neighbor and/or topology discovery); or 2)embodiments of the invention may perform neighbor discovery and topologydiscovery via both the centralized control plane and the distributedprotocols, and the results compared to raise exceptions where they donot agree. Such embodiments are generally considered to fall under thecentralized approach 774, but may also be considered a hybrid approach.

While FIG. 7D illustrates the simple case where each of the NDs 700A-Himplements a single NE 770A-H, it should be understood that the networkcontrol approaches described with reference to FIG. 7D also work fornetworks where one or more of the NDs 700A-H implement multiple VNEs(e.g., VNEs 730A-R, VNEs 760A-R, those in the hybrid network device706). Alternatively or in addition, the network controller 778 may alsoemulate the implementation of multiple VNEs in a single ND.Specifically, instead of (or in addition to) implementing multiple VNEsin a single ND, the network controller 778 may present theimplementation of a VNE/NE in a single ND as multiple VNEs in thevirtual networks 792 (all in the same one of the virtual network(s) 792,each in different ones of the virtual network(s) 792, or somecombination). For example, the network controller 778 may cause an ND toimplement a single VNE (a NE) in the underlay network, and thenlogically divide up the resources of that NE within the centralizedcontrol plane 776 to present different VNEs in the virtual network(s)792 (where these different VNEs in the overlay networks are sharing theresources of the single VNE/NE implementation on the ND in the underlaynetwork).

On the other hand, FIGS. 7E and 7F respectively illustrate exemplaryabstractions of NEs and VNEs that the network controller 778 may presentas part of different ones of the virtual networks 792. FIG. 7Eillustrates the simple case of where each of the NDs 700A-H implements asingle NE 770A-H (see FIG. 7D), but the centralized control plane 776has abstracted multiple of the NEs in different NDs (the NEs 770A-C andG-H) into (to represent) a single NE 770I in one of the virtualnetwork(s) 792 of FIG. 7D, according to some embodiments of theinvention. FIG. 7E shows that in this virtual network, the NE 770I iscoupled to NE 770D and 770F, which are both still coupled to NE 770E.

FIG. 7F illustrates a case where multiple VNEs (VNE 770A.1 and VNE770H.1) are implemented on different NDs (ND 700A and ND 700H) and arecoupled to each other, and where the centralized control plane 776 hasabstracted these multiple VNEs such that they appear as a single VNE770T within one of the virtual networks 792 of FIG. 7D, according tosome embodiments of the invention. Thus, the abstraction of a NE or VNEcan span multiple NDs.

While some embodiments of the invention implement the centralizedcontrol plane 776 as a single entity (e.g., a single instance ofsoftware running on a single electronic device), alternative embodimentsmay spread the functionality across multiple entities for redundancyand/or scalability purposes (e.g., multiple instances of softwarerunning on different electronic devices).

Similar to the network device implementations, the electronic device(s)running the centralized control plane 776, and thus the networkcontroller 778 including the centralized reachability and forwardinginformation module 779, may be implemented a variety of ways (e.g., aspecial purpose device, a general-purpose (e.g., COTS) device, or hybriddevice). These electronic device(s) would similarly includeprocessor(s), a set of one or more physical NIs, and a non-transitorymachine-readable storage medium having stored thereon the centralizedcontrol plane software. For instance, FIG. 8 illustrates, a generalpurpose control plane device 804 including hardware 840 comprising a setof one or more processor(s) 842 (which are often COTS processors) andphysical NIs 846, as well as non-transitory machine readable storagemedia 848 having stored therein centralized control plane (CCP) software850.

Virtualization layer 854 can include any combination of the componentsof the embodiments including the container manager 881. Similarly, thecontainer manager 881 and related functions can be implemented by theprocessors 842 and related hardware 840 as well as distributed overmultiple electronic or network devices.

In embodiments that use compute virtualization, the processor(s) 842typically execute software to instantiate a virtualization layer 854(e.g., in one embodiment the virtualization layer 854 represents thekernel of an operating system (or a shim executing on a base operatingsystem) that allows for the creation of multiple instances 862A-R calledsoftware containers (representing separate user spaces and also calledvirtualization engines, virtual private servers, or jails) that may eachbe used to execute a set of one or more applications; in anotherembodiment the virtualization layer 854 represents a hypervisor(sometimes referred to as a virtual machine monitor (VMM)) or ahypervisor executing on top of a host operating system, and anapplication is run on top of a guest operating system within an instance862A-R called a virtual machine (which in some cases may be considered atightly isolated form of software container) that is run by thehypervisor; in another embodiment, an application is implemented as aunikernel, which can be generated by compiling directly with anapplication only a limited set of libraries (e.g., from a libraryoperating system (LibOS) including drivers/libraries of OS services)that provide the particular OS services needed by the application, andthe unikernel can run directly on hardware 840, directly on a hypervisorrepresented by virtualization layer 854 (in which case the unikernel issometimes described as running within a LibOS virtual machine), or in asoftware container represented by one of instances 862A-R). Again, inembodiments where compute virtualization is used, during operation aninstance of the CCP software 850 (illustrated as CCP instance 876A) isexecuted (e.g., within the instance 862A) on the virtualization layer854. In embodiments where compute virtualization is not used, the CCPinstance 876A is executed, as a unikernel or on top of a host operatingsystem, on the “bare metal” general purpose control plane device 804.The instantiation of the CCP instance 876A, as well as thevirtualization layer 854 and instances 862A-R if implemented, arecollectively referred to as software instance(s) 852.

In some embodiments, the CCP instance 876A includes a network controllerinstance 878. The network controller instance 878 includes a centralizedreachability and forwarding information module instance 879 (which is amiddleware layer providing the context of the network controller 778 tothe operating system and communicating with the various NEs), and an CCPapplication layer 880 (sometimes referred to as an application layer)over the middleware layer (providing the intelligence required forvarious network operations such as protocols, network situationalawareness, and user—interfaces). At a more abstract level, this CCPapplication layer 880 within the centralized control plane 776 workswith virtual network view(s) (logical view(s) of the network) and themiddleware layer provides the conversion from the virtual networks tothe physical view.

The centralized control plane 776 transmits relevant messages to thedata plane 780 based on CCP application layer 880 calculations andmiddleware layer mapping for each flow. A flow may be defined as a setof packets whose headers match a given pattern of bits; in this sense,traditional IP forwarding is also flow-based forwarding where the flowsare defined by the destination IP address for example; however, in otherimplementations, the given pattern of bits used for a flow definitionmay include more fields (e.g., 10 or more) in the packet headers.Different NDs/NEs/VNEs of the data plane 780 may receive differentmessages, and thus different forwarding information. The data plane 780processes these messages and programs the appropriate flow informationand corresponding actions in the forwarding tables (sometime referred toas flow tables) of the appropriate NE/VNEs, and then the NEs/VNEs mapincoming packets to flows represented in the forwarding tables andforward packets based on the matches in the forwarding tables.

Standards such as OpenFlow define the protocols used for the messages,as well as a model for processing the packets. The model for processingpackets includes header parsing, packet classification, and makingforwarding decisions. Header parsing describes how to interpret a packetbased upon a well-known set of protocols. Some protocol fields are usedto build a match structure (or key) that will be used in packetclassification (e.g., a first key field could be a source media accesscontrol (MAC) address, and a second key field could be a destination MACaddress).

Packet classification involves executing a lookup in memory to classifythe packet by determining which entry (also referred to as a forwardingtable entry or flow entry) in the forwarding tables best matches thepacket based upon the match structure, or key, of the forwarding tableentries. It is possible that many flows represented in the forwardingtable entries can correspond/match to a packet; in this case the systemis typically configured to determine one forwarding table entry from themany according to a defined scheme (e.g., selecting a first forwardingtable entry that is matched). Forwarding table entries include both aspecific set of match criteria (a set of values or wildcards, or anindication of what portions of a packet should be compared to aparticular value/values/wildcards, as defined by the matchingcapabilities—for specific fields in the packet header, or for some otherpacket content), and a set of one or more actions for the data plane totake on receiving a matching packet. For example, an action may be topush a header onto the packet, for the packet using a particular port,flood the packet, or simply drop the packet. Thus, a forwarding tableentry for IPv4/IPv6 packets with a particular transmission controlprotocol (TCP) destination port could contain an action specifying thatthese packets should be dropped.

Making forwarding decisions and performing actions occurs, based uponthe forwarding table entry identified during packet classification, byexecuting the set of actions identified in the matched forwarding tableentry on the packet.

However, when an unknown packet (for example, a “missed packet” or a“match-miss” as used in OpenFlow parlance) arrives at the data plane780, the packet (or a subset of the packet header and content) istypically forwarded to the centralized control plane 776. Thecentralized control plane 776 will then program forwarding table entriesinto the data plane 780 to accommodate packets belonging to the flow ofthe unknown packet. Once a specific forwarding table entry has beenprogrammed into the data plane 780 by the centralized control plane 776,the next packet with matching credentials will match that forwardingtable entry and take the set of actions associated with that matchedentry.

While the invention has been described in terms of several embodiments,those skilled in the art will recognize that the invention is notlimited to the embodiments described, can be practiced with modificationand alteration within the spirit and scope of the appended claims. Thedescription is thus to be regarded as illustrative instead of limiting.

What is claimed is:
 1. A method of managing dynamic runtime informationprovision for a container implementing a Session Management Function(SMF) executed by an electronic device in a 3^(rd) generationpartnership project (3GPP) 5^(th) Generation (5G) mobile network core,the method comprising: starting a container image load, the containerimage including at least a secret sub unit and an application sub unit,the application sub unit providing the SMF; determining an input sourceto provide a secret value for the container, the input source identifiedby information in the secret sub unit in the container image; andproviding the secret value to a destination sub unit of the container.2. The method of claim 1, further comprising: determining thedestination sub unit of the container to receive the secret value is theSMF, the destination sub unit identified by information in the secretsub unit in the container image.
 3. The method of claim 1, wherein thesecret value is unique to the container within the 5G mobile networkcore.
 4. The method of claim 1, wherein the secret source includes analgorithm defined by the secret sub unit.
 5. The method of claim 1,further comprising: generating a query to an administrator interface toretrieve data to be utilized to derive the secret value.
 6. A method ofmanaging dynamic runtime information provision for a containerimplementing an Access and Mobility Management Function (AMF) executedby an electronic device in a 3^(rd) generation partnership project(3GPP) 5^(th) Generation (5G) mobile network core, the methodcomprising: starting a container image load, the container imageincluding at least a secret sub unit and an application sub unit, theapplication sub unit providing the AMF; determining an input source toprovide a secret value for the container, the input source identified byinformation in the secret sub unit in the container image; and providingthe secret value to a destination sub unit of the container.
 7. Themethod of claim 6, further comprising: determining the destination subunit of the container to receive the secret value is the AMF, thedestination sub unit identified by information in the secret sub unit inthe container image.
 8. The method of claim 6, wherein the secret valueis unique to the container.
 9. The method of claim 6, wherein the secretsource includes an algorithm defined by the secret sub unit.
 10. Themethod of claim 6, further comprising: generating a query to anadministrator interface to retrieve data to be utilized to derive thesecret value.
 11. An electronic device in a 3^(rd) generationpartnership project (3GPP) 5^(th) Generation (5G) mobile network core,the electronic device configured to implement a container managementsystem, the container management system to support managing dynamicruntime information provision for a container implementing a SessionManagement Function (SMF), the electronic device comprising: anon-transitory computer-readable medium having stored therein acontainer manager; and a processor coupled to the non-transitorycomputer-readable medium, the processor to execute the containermanager, the container manager to start a container image load, thecontainer image including at least a secret sub unit and an applicationsub unit, the application sub unit providing the SMF, to determine aninput source to provide a secret value for the container, the inputsource identified by information in the secret sub unit in the containerimage, and to provide the secret value to a destination sub unit of thecontainer.
 12. The electronic device of claim 11, further comprising: asecret store coupled to the processor to store information fordetermining the secret value.
 13. The electronic device of claim 11,wherein the container manager includes a runtime secret processingcomponent to generate a query to an administrator interface to retrievedata to be utilized to derive the secret value.
 14. The electronicdevice of claim 11, wherein the container manager is further todetermine the destination sub unit of the container to receive thesecret value is the SMF, the destination sub unit identified byinformation in the secret sub unit in the container image.
 15. Theelectronic device of claim 11, wherein the secret value is unique to thecontainer within the 5G mobile network core.
 16. An electronic device ina 3^(rd) generation partnership project (3GPP) 5^(th) Generation (5G)mobile network core, the electronic device configured to implement acontainer management system, the container management system to supportmanaging dynamic runtime information provision for a containerimplementing an Access and Mobility Management Function (AMF), theelectronic device comprising: a non-transitory computer-readable mediumhaving stored therein a container manager; and a processor coupled tothe non-transitory computer-readable medium, the processor to executethe container manager, the container manager to start a container imageload, the container image including at least a secret sub unit and anapplication sub unit, the application sub unit providing the AMF, todetermine an input source to provide a secret value for the container,the input source identified by information in the secret sub unit in thecontainer image, and to provide the secret value to a destination subunit of the container.
 17. The electronic device of claim 16, furthercomprising: a secret store coupled to the processor to store informationfor determining the secret value.
 18. The electronic device of claim 16,wherein the container manager includes a runtime secret processingcomponent to generate a query to an administrator interface to retrievedata to be utilized to derive the secret value.
 19. The electronicdevice of claim 16, wherein the container manager is further todetermine the destination sub unit of the container to receive thesecret value is the AMF, the destination sub unit identified byinformation in the secret sub unit in the container image.
 20. Theelectronic device of claim 16, wherein the secret value is unique to thecontainer within the 5G mobile network core.